1.11 Basic debugger session

To start debugging a program use the '-d' flag and append the PID or the program path with arguments.

$ radare -d /bin/ls

The debugger will fork and load the 'ls' program in memory stopping the execution in the 'ld.so', so don't expect to see the entrypoint or the mapped libraries at this point. To change this you can define a new 'break entry point' adding 'e dbg.bep=entry' or 'dbg.bep=main' to your .radarerc.

But take care on this, because some malware or programs can execute code before the main.

Now the debugger prompt should appear and if you press 'enter' ( null command ) the basic view of the process will be displayed with the stack dump, general purpose registers and disassembly from current program counter (eip on intel).

All the debugger commands are handled by a plugin, so the 'system()' interface is hooked by it and you will have to supply them prefixing it with a '!' character.

The easiest way to use the debugger is from the Visual mode, so, you will no need to remember much commands or keep states in your mind.

[0xB7F0C8C0]> Visual

After entering this command an hexdump of the current eip will be showed. Now press 'p' one time to get into the debugger view. You can press 'p' and 'P' to rotate thru the most commonly used print modes.

Use F6 or 's' to step into and F7 or 'S' to step over.

With the 'c' key you will toggle the cursor mode and being able to select range of bytes to nop them or set breakpoints using the 'F2' key.

In the visual mode you can enter commands with ':' to dump buffer contents like

x @ esi

To get the help in the visual mode press '?' and for the help of the debugger press '!'.

At this point the most common commands are !reg that can be used to get or set values for the general purpose registers. You can also manipulate the hardware and extended/floating registers.